diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
new file mode 100644
index 0000000..6ca8590
--- /dev/null
+++ b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
@@ -0,0 +1,62 @@
+From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Aug 2022 16:58:07 +0300
+Subject: [PATCH] fix canonicalization issue in Web UI
+
+When Kerberos principal alias is used to login to a Web UI, we end up
+with a request that is authenticated by a ticket issued in the alias
+name but metadata processed for the canonical user name. This confuses
+RPC layer of Web UI code and causes infinite loop to reload the page.
+
+Fix it by doing two things:
+
+ - force use of canonicalization of an enterprise principal on server
+   side, not just specifying that the principal is an enterprise one;
+
+ - recognize that a principal in the whoami()-returned object can have
+   aliases and the principal returned by the server in the JSON response
+   may be one of those aliases.
+
+Fixes: https://pagure.io/freeipa/issue/9226
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+---
+ install/ui/src/freeipa/ipa.js | 8 +++++++-
+ ipaserver/rpcserver.py        | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
+index 758db1b00..a08d632e9 100644
+--- a/install/ui/src/freeipa/ipa.js
++++ b/install/ui/src/freeipa/ipa.js
+@@ -271,7 +271,13 @@ var IPA = function () {
+                             var cn = that.whoami.data.krbcanonicalname;
+                             if (cn) that.principal = cn[0];
+                             if (!that.principal) {
+-                                that.principal = that.whoami.data.krbprincipalname[0];
++                                var principal = data.principal;
++                                var idx = that.whoami.data.krbprincipalname.indexOf(principal);
++                                if (idx > -1) {
++                                    that.principal = principal;
++                                } else {
++                                    that.principal = that.whoami.data.krbprincipalname[0];
++                                }
+                             }
+                         } else if (entity === 'idoverrideuser') {
+                             that.principal = that.whoami.data.ipaoriginaluid[0];
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 1f85e9898..4e8a08b66 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
+                 ccache_name,
+                 armor_ccache_name=armor_path,
+                 enterprise=True,
++                canonicalize=True,
+                 lifetime=self.api.env.kinit_lifetime)
+ 
+             if armor_path:
+-- 
+2.37.3
+
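Review bot: In the ipa.js hunk, the new `that.whoami.data.krbprincipalname.indexOf(principal)` lookup is an exact, case-sensitive string match, and when nothing matches it silently falls back to `krbprincipalname[0]`. That fallback presumably leaves the UI with a principal that differs from the one the server reported, which is the mismatch the commit message blames for the reload loop. Whether the server always returns `data.principal` in the same case and realm form as the stored values is not visible here, so I would state the assumption above the lookup: `// data.principal comes from the server's JSON response; accept it only if it is one of the entry's krbprincipalname values`. The diffstat lists only ipa.js and rpcserver.py, so a regression test that logs in with an alias and checks the resulting session principal would pin both the UI change and the added `canonicalize=True`. The enclosing function in ipa.js and the call inside `login_password` both start and end outside the hunks.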
diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec
index a386ef9..fe340ad 100644
--- a/SPECS/freeipa.spec
+++ b/SPECS/freeipa.spec
@@ -198,7 +198,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?rc_version:.%rc_version}%{?dist}
+Release:        7%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -232,6 +232,7 @@ Patch0011:      0011-ipatests-Fix-expected-object-classes.patch
 Patch0012:      0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
 Patch0013:      0013-Set-default-gracelimit-on-group-password-policies-to.patch
 Patch0014:      0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
+Patch0015:      0015-fix-canonicalization-issue-in-Web-UI.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1740,6 +1741,10 @@ fi
 %endif
 
 %changelog
+* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
+- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
+- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]
+
 * Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
 - Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
 - Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI